At some point in every security conversation, somebody drops the phrase "NIST framework," and the room quietly splits into people who nod and people who make a note to google it later. If you're in the second group: NIST is the National Institute of Standards and Technology, a US federal agency, and its Cybersecurity Framework (the CSF) is a free document that organizes security work into plain categories. It was written so that organizations of any size could talk about security in the same terms. For a small business, it's genuinely useful, as long as you treat it as what it is: a map, not a mandate.
Nobody is going to audit you against it
Let's clear this up first, because it's the most common misunderstanding. The CSF is voluntary. There is no CSF certification, no CSF auditor, no CSF fine. (Some government contracts require specific NIST standards like 800-171, which is a different, binding animal. If you have defense contracts, that's its own conversation.) The CSF's job is to give you a complete picture of what security work exists, so you can see which parts you're doing and which parts you've never thought about. That's the whole trick: most small businesses don't fail at security because they did things badly. They fail because entire categories never occurred to anyone.
The six functions, translated
The framework organizes everything under six functions. Version 2.0, released in 2024, added the sixth (Govern) and, notably, was rewritten to apply to small organizations, not just critical infrastructure. Here's each one as a question a business owner can actually answer:
- Govern: who owns this? Someone is responsible for security decisions, there's some policy about how things are done, and vendors get at least a sniff test. In a 20-person company this can be one owner-level person and three pages of policy. The point is that it's assigned, not ambient.
- Identify: what do we have? An inventory of devices, accounts, software, data, and vendors, plus an honest look at which of it matters most. You cannot protect the server you forgot exists, and we find forgotten servers constantly.
- Protect: what stops bad things? The controls everyone pictures: MFA, patching, endpoint protection, access limited by role, encrypted laptops, backups, staff training. This is where nearly all small-business security budget already goes, which is exactly why the map matters. Protect is one function out of six.
- Detect: would we even know? If an attacker logged into your email from another country last Tuesday, would anything alert anyone? For most small businesses the honest answer is no. Fixes here are cheaper than they sound: alerting built into Microsoft 365 and Google Workspace, an endpoint detection product, or a monitoring service watching it.
- Respond: what do we do when it happens? A written, one-page plan: who to call (IT, insurer, lawyer, bank), who decides to shut things down, how you communicate if email is compromised. Written at 2 p.m. on a calm day, not at 2 a.m. during the incident.
- Recover: how do we get back? Backups that are tested by actually restoring, an idea of how long rebuilding takes, and priorities for what comes back first. Backups nobody has ever restored are a hope, not a plan.
Using it to find gaps without drowning
The full CSF breaks those functions into dozens of categories and subcategories, and this is where small businesses drown if they try to be thorough. Don't be thorough. Do this instead:
- Score yourself at the function level. Six functions, rated honestly from 0 to 3. Takes an hour with whoever knows your IT. Most small businesses land around a 2 on Protect and a 0 or 1 on Detect, Respond, and Govern. That lopsided shape is normal, and seeing it is the entire value of the exercise.
- Pick the worst function, not more Protect. The instinct is always to buy another protection tool. The map usually says your next dollar belongs in Detect or Respond, where you're at zero. Going from 0 to 1 in a weak function beats going from 2 to 2.5 in a strong one every time.
- Fix three things a quarter. Write down the three gaps you'll close this quarter, close them, rescore next quarter. That cadence is sustainable forever. A 40-page gap assessment that names everything and gets nothing done is worse than no assessment, and we've inherited plenty of those.
Side benefit: cyber insurance applications and customer security questionnaires ask questions that fall neatly into these same six buckets. Once you've done the self-score, those forms stop being scary, because you already know your answers and your gaps.
How to know you're using it right
You can name your weakest function without looking it up. Your last quarter's three fixes are done, and this quarter's three are named. Spending follows the gaps instead of following whichever vendor called last. And when someone asks "are we secure?", the answer isn't yes or no, it's "here's our map, here's where we're strong, here's what we're fixing next." That answer is what the framework is for. We run this exact exercise with clients as a first engagement, and the hour of honest scoring routinely reshapes the whole IT budget that follows it.
Stuck on this, or want it done for you? That's the job.
Email us →